First GDPR level fines in the UK

One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in the maximum fines available for data protection breaches, to the higher of €20 million or 4% of global annual turnover. Any breaches which occurred prior to this date were subject to a maximum of £500,000 set by the Data Protection Act 1998 – and this former upper limit was only invoked once, in the case of Facebook and its part in the Cambridge Analytica scandal. Many commentators pointed out that half a million pounds was “chump change” for the likes of tech giants. The same couldn’t be said of the £183 million fine which the Information Commissioner’s Office (ICO) announced it intended to impose on British Airways (BA) less than a year later.

According to the ICO, a malicious hack of BA’s website began in June 2018 (i.e. after the GDPR came into force) and led to the personal details of some 500,000 passengers being compromised, including names, email addresses and payment card information. The record-breaking fine amounts to 1.5% of BA’s worldwide turnover in 2017 – so it could potentially have been a lot higher. It has been reported that BA will appeal the fine.

Following the announcement of the BA fine, the ICO took another bite out of corporate profits with its new teeth the very next day, proposing a £99.2 million fine for the international hotel group Marriott as a consequence of a data breach in which cyberattackers stole the records of around 339 million guests.

These GDPR-level fines, rather than being merely symbolic, are probably a sign of things to come. Companies which have hitherto paid lip service to cybersecurity – particularly those which process vast amounts of personal information – need to sit up and take note of the ICO’s new armoury.

Image cc by Descrier on Flickr.